Twenty Year Anniversary

WordPress OAuth2 Complete 3.1.3 Insecure Random

WordPress OAuth2 Complete 3.1.3 Insecure Random
Posted Aug 12, 2015
Authored by Tom Adams

OAuth Complete for WordPress version 3.1.3 uses a pseudorandom number generator which is non-cryptographically secure.

tags | advisory
MD5 | 8f4a9b572a17eca06b693007b573ad5b

WordPress OAuth2 Complete 3.1.3 Insecure Random

Change Mirror Download
Details
================
Software: OAuth2 Complete For WordPress
Version: 3.1.3
Homepage: http://wordpress.org/plugins/oauth2-provider/
Advisory report: https://security.dxw.com/advisories/the-oauth2-complete-plugin-for-wordpress-uses-a-pseudorandom-number-generator-which-is-non-cryptographically-secure/
CVE: Awaiting assignment
CVSS: 10 (High; AV:N/AC:L/Au:N/C:C/I:C/A:C)

Description
================
The OAuth2 Complete plugin for WordPress uses a pseudorandom number generator which is non-cryptographically secure

Vulnerability
================
The following refer to the generateAccessToken() function in library/OAuth2/ResponseType/AccessToken.php, and the generateAuthorizationCode() function in library/OAuth2/ResponseType/AuthorizationCode.php.

These functions attempt to generate secure auth tokens, but do not use the WordPress random number generator. Instead they use a series of fallback calculations depending on which PHP version is being used. Some of these calculations are not crypographically secure:
The first is mcrypt_create_iv(100, MCRYPT_DEV_URANDOM). MCRYPT_DEV_URANDOM is expected to change to a different random value whenever it is called, but on Windows, on older versions of php it is known to be a constant value
if no other functions (e.g. /dev/urandom) are available then the access token is generated solely using mt_rand(), microtime(), and uniqid().
mt_rand() (Mersenne twister) is not a cryptographically secure pseudorandom number generator.
According to the documentation mt_rand() is also biassed towards even return values in some circumstances.
According to the documentation uniqid() is as secure a PRNG as microtime().


Proof of concept
================
See the documentation:
http://www.php.net/manual/en/function.uniqid.php
http://www.php.net/manual/en/function.mt-rand.php

Mitigations
================
Upgrade to version 3.1.5 or later.
If this is not possible then ensure that you are using a recent version of php (at least 5.3), or disable the plugin.

Disclosure policy
================
dxw believes in responsible disclosure. Your attention is drawn to our disclosure policy: https://security.dxw.com/disclosure/

Please contact us on security@dxw.com to acknowledge this report if you received it via a third party (for example, plugins@wordpress.org) as they generally cannot communicate with us on your behalf.

This vulnerability will be published if we do not receive a response to this report with 14 days.

Timeline
================

2014-04-16: Discovered
2015-07-21: Reported to vendor by email
2015-07-21: Requested CVE
2015-08-10: Vendor responded
2015-08-11: Vendor confirmed fixed in version 3.1.5
2015-08-12: Published



Discovered by dxw:
================
Tom Adams
Please visit security.dxw.com for more information.




Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

October 2018

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Oct 1st
    26 Files
  • 2
    Oct 2nd
    15 Files
  • 3
    Oct 3rd
    15 Files
  • 4
    Oct 4th
    15 Files
  • 5
    Oct 5th
    15 Files
  • 6
    Oct 6th
    2 Files
  • 7
    Oct 7th
    3 Files
  • 8
    Oct 8th
    23 Files
  • 9
    Oct 9th
    16 Files
  • 10
    Oct 10th
    15 Files
  • 11
    Oct 11th
    19 Files
  • 12
    Oct 12th
    16 Files
  • 13
    Oct 13th
    2 Files
  • 14
    Oct 14th
    2 Files
  • 15
    Oct 15th
    15 Files
  • 16
    Oct 16th
    20 Files
  • 17
    Oct 17th
    19 Files
  • 18
    Oct 18th
    21 Files
  • 19
    Oct 19th
    16 Files
  • 20
    Oct 20th
    0 Files
  • 21
    Oct 21st
    0 Files
  • 22
    Oct 22nd
    0 Files
  • 23
    Oct 23rd
    0 Files
  • 24
    Oct 24th
    0 Files
  • 25
    Oct 25th
    0 Files
  • 26
    Oct 26th
    0 Files
  • 27
    Oct 27th
    0 Files
  • 28
    Oct 28th
    0 Files
  • 29
    Oct 29th
    0 Files
  • 30
    Oct 30th
    0 Files
  • 31
    Oct 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2018 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close